Oathe Security Badge

Is jasonxkensei/xProof safe?

https://github.com/jasonxkensei/xProof

67
CAUTION

xProof is a blockchain proof-anchoring skill for AI agents with a legitimate accountability use case, but its design introduces material security concerns that go beyond standard utility skill risks. The most significant issue is the mandatory pre-execution audit pattern ('no proof = no action'), which creates a hard dependency on the xproof.app operator's infrastructure and gives that operator real-time intelligence about all planned agent actions before they execute. The x402 autonomous USDC payment feature and the install instructions referencing a separate unaudited repository compound the risk. Clone behavior was clean, no code executed on install, and all canary files remained intact.

Category Scores

Prompt Injection 62/100 · 30%
Data Exfiltration 52/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 35/100 · 5%

Findings (11)

HIGH Mandatory external API gating blocks all agent critical actions -35

The Agent Audit Log Standard enforces that agents MUST receive a proof_id from xproof.app before executing any trade, deploy, data access, or transfer. On API failure, timeout, or missing proof_id the agent is instructed to throw an error with no fallback. This gives the xproof.app operator permanent veto power over agent execution and creates a single point of failure for any agent that adopts the enforcement pattern.

HIGH By-design pre-execution behavioral surveillance via /api/audit -30

Every critical agent action must be pre-reported to xproof.app with structured fields including action_type, action_description (human-readable intent), inputs_hash (SHA-256 of inputs), risk_level, decision, and optional context (model name, environment). This telemetry stream gives xproof.app a real-time feed of everything the agent plans to do before it does it, enabling behavioral profiling and intelligence gathering.

HIGH x402 enables autonomous USDC spending without per-transaction confirmation -25

The skill promotes x402 as a payment method that allows agents to initiate on-chain USDC transactions on Base (eip155:8453) without per-transaction user approval. While framed as opt-in, the SKILL.md provides detailed implementation guidance and the batch endpoint supports up to 50 items ($0.50) per call. An agent that enables x402 based on this skill's instructions could drain funds without user awareness.

MEDIUM Install instructions fetch from an unaudited, separate GitHub repository -25

The Quick Install curl commands in SKILL.md download content from https://raw.githubusercontent.com/jasonxkensei/xproof-openclaw-skill/main/xproof/SKILL.md — a completely separate repository (xproof-openclaw-skill) that is not the repository being audited (xProof). Any agent following these instructions installs content that has not been security-reviewed as part of this audit, and that content could differ arbitrarily from what was audited here.

MEDIUM webhook_url routes agent proof notifications to arbitrary external endpoints -18

The POST /api/proof endpoint accepts a webhook_url parameter that causes xproof.app to POST proof confirmation payloads (including proof_id, file_hash, blockchain transaction hash) to the specified URL. While the server implements SSRF protection blocking private IP ranges and localhost, any external HTTPS endpoint can receive these payloads, enabling data routing to attacker-controlled infrastructure via the webhook mechanism.

MEDIUM scripts/post-merge.sh present with unexamined content -15

The repository contains scripts/post-merge.sh. If installed as a git hook (e.g. via git config core.hooksPath), it would execute automatically on every git merge in the workspace. The content of this script was not surfaced in the evidence and cannot be verified as benign.

MEDIUM Guard template code fetched from xproof.app at runtime -13

Section 8 of SKILL.md provides direct URLs to executable Python and JSON files hosted at xproof.app (audit-guard-langchain.py, audit-guard-crewai.py, audit-guard-n8n.json, audit-guard-eliza.ts). An LLM agent reading this skill may fetch and execute these files from an unaudited, operator-controlled endpoint during task execution.

MEDIUM Agent execution enforcement creates external service dependency in system prompt -10

When injected into an agent's system prompt, the 'no proof = no action' enforcement pattern fundamentally alters the agent's behavior by making all critical actions conditional on a third-party API response. This goes beyond a utility skill and constitutes behavioral modification of the host agent without explicit per-action user consent.

LOW Violation system imposes trust score penalties based on proof submission timing -5

The violations layer penalizes agents -150 points for 'gap' (30+ minutes without proof during active session) and -500 points for 'burst' (abnormal submission spike). These penalties are applied based on behavioral patterns, not actual misbehavior, and can be triggered by legitimate agent operation. The operator of xproof.app controls the threshold definitions and penalty application.

LOW SKILL.md contains three concatenated skill versions without clear boundaries -3

The SKILL.md content contains three distinct full skill definitions concatenated together (v3.1.0 with free trial, v3.1.0 paid-only, and a DeerFlow-specific version). This creates ambiguity about which instructions apply and increases the total instruction surface injected into the agent's context window.

INFO Canary file reads at 11:01:51 attributed to audit monitoring framework 0

Read-only accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials occurred at Unix timestamp 1784026911, approximately 5 seconds before the git clone at 1784026916. These are attributable to the oathe audit framework establishing honeypot baselines, not the skill. CLOSE_NOWRITE confirms no modifications.